Cisco Traffic Anomaly Detector Module Configuration Guide (Software Version 6.0)
Index


Symbols

# (number sign) 11-4

* (wildcard) 3-7, 5-5, 11-3

Numerics

1-Gbps and 2-Gbps bandwidth options

displaying software license key 12-2

displaying software version 12-2

understanding 1-6

upgrading to 2 Gbps 13-16

2-Gbps operation upgrade

activating additional data port 13-18

regenerating SSL certificates 13-18

A

AAA

accounting 4-12

authentication 4-5

authorization 4-10

configuring 4-3

aaa accounting command 4-12

aaa authentication command 4-5

aaa authorization command 4-10

accounting, configuring 4-12

action command 7-18

action flow 11-6

add-service command 7-9

admin privilege level 3-2, 4-6

always-accept 7-19

always-ignore 7-20

anomaly

detected 11-2

flow 11-3

anomaly detection engine memory usage 12-23, 12-25

AP

booting to 2-12

clearing configuration 13-19

clearing passwords 13-19, 13-22

upgrading 13-10

upgrading, inline 13-13

application partition

See AP

attack report

copying 11-7

detected anomalies 11-2

exporting 11-6, 11-7, 13-6

exporting automatically 11-6

layout 11-1

notify 11-4

statistics 11-2

timing 11-1

viewing 11-4

attack types 11-5

authentication, configuring 4-5

authorization

configuring 4-8, 4-9

disabling zone command completion 4-12, 5-6

auth packet types 7-11

automatic detect mode 1-5

automatic protection mode 9-3

automatic protect mode 9-3, 10-1

B

bandwidth options

displaying software license key 12-2

displaying software version 12-2

understanding 1-6

upgrading to 2 Gbps 13-16

banner, configuring login 4-30

Berkeley Packet filter 6-7

boot command 2-11

burn flash 13-15

bypass filter

command 6-10

configuring 6-10

definition 1-5, 6-1

deleting 6-12

displaying 6-11

C

capture, packets 12-13

caution, symbol overview 1-xvii

CFE 13-11, 13-14, 13-15

clear ap config command 13-19

clear ap password command 13-19, 13-22

clear counters command 3-9, 12-5

clear log command 12-10

CLI

changing prompt 4-25

command shortcuts 3-7

error messages 3-5

getting help 3-6

issuing commands 3-4

TAB completion 3-6

using 3-1

command completion 4-12

command line interface

See CLI 3-1

commands, deactivating 3-5

command shortcuts 3-7

config privilege level 3-2, 4-6

configuration, supervisor engine

saving 2-1

configuration file

copying 13-3

exporting 13-3

importing 13-4

viewing 12-3

configuration mode

accessing 4-11

described 3-2

configure command 2-9, 3-7

constructing policies 8-4

copy commands

ftp running-config 13-4

log 12-7, 12-9

packet-dump 12-15

reports 11-7

running-config 5-14, 13-3

zone log 12-9

copy-from-this 5-5

copy guard-running-config command 5-14, 5-16

copy login-banner command 4-31

copy-policies command 8-16

copy wbm-logo command 4-32

counters

clearing 3-9, 12-5

history 12-5

counters, viewing 12-5

cpu utilization 12-24

D

DDoS

nonspoofed attacks 1-3

overview 1-2

spoofed attacks 1-3

zombies 1-3

deactivate command 9-5

deactivating commands 3-5

default configuration, returning to 13-19

default-gateway command 3-10

description command 5-6

detect

automatic mode 1-5

interactive mode 1-5, 9-3

detect command 9-4

detected

anomalies 11-2

flow 11-6

detected attack 11-5

DETECTOR_DEFAULT 5-2

DETECTOR_WORM 5-2

diff command 8-13, 8-14

disable command 7-6

disabling, automatic export 13-7

DNS

detected anomalies 11-2

TCP policy templates 7-2

tcp protocol flow 11-5

dst-ip-by-ip activation form 9-4, 9-7

dst-ip-by-name activation form 9-3

dst traffic characteristics 7-11

dynamic filter

1000 and more 6-13

command 6-15, 6-16, 9-9

definition 1-5

deleting 6-15

displaying 6-13

displaying events 12-8

overview 6-2, 6-12

preventing production of 6-16

sorting 6-13

worm 7-22

dynamic filters 10-1

dynamic privilege level 3-2, 4-6

E

enable

command 4-10, 7-6

password command 4-9

enabling services 4-2

entire-zone activation form 9-3

event log

activating 12-7

deactivating 12-7

event monitor command 12-7

export, disabling automatic 13-7

export command 13-6

packet-dump 12-15

reports 11-7

exporting

configuration file 13-3

log file 12-9

reports automatically 11-6

exporting GUARD configuration 5-14, 5-16

export sync-config command 5-16

extracting signatures 12-19

F

facility 12-8

file server

configuring 13-2

displaying sync-config 13-8

file-server

command 5-16, 13-2

configuring 13-2

deleting 13-3

displaying 13-3, 13-8

displaying sync-config 5-16, 13-7

filters

bypass 1-5, 6-10

dynamic 1-5, 6-2, 6-12

flex-content 1-5, 6-2

fixed-threshold 7-15

flash-burn command 13-16

flex-content filter

configuring 6-3

definition 1-5, 6-1

displaying 6-9

filtering criteria 6-2

renumbering 6-3

fragments 11-5

detected anomalies 11-2

policy template 7-2

G

generating signatures 12-19

global mode 3-2

global traffic characteristics 7-11

Guard

configuration mode 3-3

exporting configuration 13-6

GUARD_DEFAULT 5-3

GUARD_LINK 5-3

GUARD_TCP_NO_PROXY 5-3

GUARD_ zone policy template 7-3

guard-conf command 5-10

GUARD configuration, exporting 5-14, 5-16

GUARD configuration, importing 5-14

Guard-protection activation methods 9-3

H

histogram command 7-21

host, logging 12-8

host keys

deleting 4-19

host keys, deleting 4-20

hostname

changing 4-25

command 4-25

HTTP

detected anomalies 11-2

policy template 7-2

hw-module command 13-10, 13-11, 13-12, 13-14, 13-18, 13-21

hw-module commands 2-11

hybrid 11-5

I

idle session, configuring timeout 4-33

idle session, displaying timeout 4-33

importing GUARD configuration 5-14

inline upgrade 13-13

in packet types 7-11

installation, verifying 2-2

interactive

operation mode 10-3

policy status 7-20

interactive detect mode 1-5, 9-3

interactive protect mode 10-1

interactive-status command 7-19

interface

activating 3-8, 3-9

clearing counters 3-9

command 3-8

configuration mode 3-3

configuring IP address 3-8

IP address

modifying, zone 5-8

ip address command

deleting 5-8

excluding 5-7

interface 3-8

zone 5-7

ip route command 3-10

IP scan 11-5

detected anomalies 11-2

policy template 7-2

IP threshold configuration 7-17

K

key, generating for license 13-17

key command

add 4-21, 4-23

generate 4-21, 4-24

remove 4-24

key publish command 4-21, 4-22

L

learning

command 8-5, 8-7

constructing policies 8-4

overview 8-1

policy-construction command 8-4

synchronizing results 8-3

terminating process 8-5, 8-7

threshold-tuning command 8-6

tuning thresholds 8-6

learning accept command 8-5, 8-6

learning parameters, displaying 8-8

learning-params

deactivating periodic action 8-7

deactivating periodic-action command 8-5

periodic-action command 5-12, 8-5, 8-7, 8-8

threshold-multiplier command 7-15

threshold-selection command 8-6, 8-9

threshold-tuned command 5-8, 8-10

learning-params command 5-11, 5-16

learning-params fixed-threshold command 7-15

licenses

generating key 13-17

ordering XG upgrade license 13-17

LINK templates 8-4

log file

clearing 12-10

exporting 12-7, 12-9

viewing 12-9

logging, viewing configuration 12-9

logging command 12-8

login banner

configuring 4-30

deleting 4-31

importing 4-31

login-banner command 4-30

logo

adding WBM 4-32

deleting WBM 4-33

M

maintenance partition

See MP

management

MDM 3-13

overview 3-11

port 2-2

SSH 3-13

VLAN 2-2

WBM 3-11

max-services command 7-5

MDM, activating 3-13

memory consumption 12-23

memory usage, anomaly detection engine 12-23, 12-25

min-threshold command 7-6

monitoring, network traffic 12-15

MP

booting to 2-11

upgrading 13-12

upgrading, inline 13-13

mtu command 3-9

N

netstat command 12-26

network server

configuring 13-2

deleting 13-3

displaying 13-3, 13-8

displaying sync-config 5-16, 13-7, 13-8

network server, configuring 13-2

no learning command 8-5, 8-7

non_estb_conns packet type 7-11

nonspoofed attacks 1-3

no proxy policy templates 7-4

note, symbol overview 1-xvii

notify 11-4

notify policy action 7-19

ns policy templates 7-4

O

other protocols

detected anomalies 11-2

policy template 7-3

out_pkts packet types 7-11

P

packet-dump

auto-capture command 12-13

automatic

activating 12-12

deactivating 12-13

displaying settings 12-13

exporting 12-15, 13-6

signatures 12-20

packet-dump command 12-13

packets, capturing 12-13

password

changing 4-7

enabling 4-9

encrypted 4-6

recovering 13-19, 13-22

pending 10-1

pending dynamic filters 10-1, 10-2

displaying 10-3, 10-5

periodic action

accepting policies automatically 8-5, 8-7

deactivating 8-5, 8-7

permit

command 3-11, 3-13, 4-3

permit ssh command 4-20

ping command 12-30

pkts packet type 7-11

policy

action 7-12, 7-18, 7-19

activating 7-13

adding services 7-9

backing up current 7-25, 8-17

command 7-12

configuration mode 3-3

constructing 1-4, 8-2, 8-4

copying parameters 8-16

copy-policies 8-16

deleting services 7-9

disabling 7-13

inactivating 7-13

learning-params, fixed-threshold command 7-15

marking as tuned 5-8, 8-10

marking threshold as fixed 7-15

multiplying thresholds 7-16

navigating path 7-12

packet types 7-10

show statistics 7-24

state 7-13

threshold 7-12, 7-14

threshold-list command 7-17

timeout 7-12, 7-18

traffic characteristics 7-11

tuning thresholds 1-4, 8-2, 8-6

using wildcards 7-12, 7-23, 7-24

viewing statistics 8-8

policy set-timeout command 7-18

policy template

command 7-4, 7-6

configuration command level 7-4

configuration mode 3-3

displaying list 7-4

Guard policy templates for synchronization 7-3

max-services 7-5

min-threshold 7-6

overview 7-2

parameters 7-4

state 7-6

worm_tcp 7-4

policy-template add-service command 7-9

policy-template remove service command 7-9

policy-type activation form 9-4

port scan 11-5

detected anomalies 11-2

policy template 7-3

power enable command 2-11

privilege levels 3-2

assigning passwords 4-9

moving between 4-10

protect

activation methods 9-3

automatic mode 9-3, 10-1

deactivating 9-5

interactive mode 10-1

protect command 9-5

protection-end-timer 9-7, 9-8

protect-ip-state command 9-3

protect learning command 8-6

protocol traffic characteristics 7-11

proxy policy templates, no proxy policy templates 7-4

public key, displaying 4-24

R

rates

history 12-4

viewing 12-4

reactivate-zones 13-8

rebooting parameters 13-8

recommendations 10-1

accepting 10-7

activating 10-3, 10-6

change decision 7-19

command 10-6

deactivating 10-3, 10-8

dynamic filters 10-1

ignoring 10-7

overview 10-1

viewing 10-4

viewing pending-filters 10-3, 10-5

reload command 13-8

remote-activate policy action 7-19

remote Guard

activating 6-14

terminating protection 9-7, 9-8

remote-guard command 9-7, 9-8

remote Guard list

displaying 9-7, 9-8

remote Guards

activating 9-5

default list 9-7

list 9-8

list activation order 9-8

remove service command 7-9

renumbering flex-content filters 6-3

report

See attack report 11-1

reports

details 11-4

exporting 13-6

reqs packet type 7-11

reset command 2-11

router configuration mode 3-3

routing table

manipulation 3-10

viewing 3-11

running-config

copy 5-14, 13-3

show 12-3

S

scanners traffic characteristics 7-12

service

adding 7-9

command 3-11, 3-13, 4-2

copy 8-16

deleting 7-9

MDM 3-13

permissions 4-3

snmp-trap 4-26

WBM 3-11

services, enabling 4-2

session, configuring timeout 4-33

session, displaying idle timeout 4-33

session timeout, disabling 4-33

session-timeout command 4-33

set-action 7-19

show commands

counters 12-5

cpu 12-24

diagnostic-info 12-22

dynamic-filters 6-13

file-servers 13-3, 13-8

flex-content-filter 6-9

host-keys 4-20, 4-23

learning parameters 8-8

learning-params 7-15

log 12-9

log export-ip 12-9

logging 12-9

login-banner 4-30

memory 12-23

module 2-2, 13-11, 13-12

packet-dump 12-13

packet-dump signatures 12-20

policies 7-23

policies statistics 7-24, 8-8

public-key 4-23, 4-24

rates 12-4

recommendations 10-4

recommendations pending-filters 10-3, 10-5

remote-guards 9-7, 9-8

reports details 11-4

running-config 12-3

show 12-4

sorting dynamic-filters 6-13

sync-config 5-16

sync-config file-servers 5-16, 13-7, 13-8

templates 5-5

zone policies 7-23

show privilege level 3-2, 4-6

show public-key command 4-25

shutdown command 3-9

signature

generating 12-19

snapshot

backing up policies 7-25, 8-17

command 8-12

comparing 8-13

deleting 8-15

displaying 8-15

overview 8-12

saving 8-12, 8-13

saving periodically 8-8

SNMP

configuring trap generator 4-26

traps description 4-27

snmp commands

community 4-29

trap-dest 4-26

software license key, displaying key information 12-2

software version number, displaying 12-2

SPAN, configuring 2-7

specific IP threshold 7-17

spoofed attacks 1-3

src traffic characteristics 7-12

SSH

configuring 3-13

deleting keys 4-24

generating key 4-21, 4-24

host key 4-22

service 3-13

viewing public key 4-23

ssh key, publishing 4-22

state command 7-13

static route, adding 3-10

supervisor engine

booting 2-11

configuring 2-1

powering off 2-11

resetting 2-11

saving configuration 2-1

shutting down 2-11

verifying configuration 2-12

syn_by_fin packet type 7-11

sync command 5-12, 5-13

synchronization

exporting configuration 13-6

syns packet type 7-11

syslog

configuring export parameters 12-8

configuring server 12-8

message format 12-8

system log, message format 12-8

T

TACACS+

authentication

key generate command 4-18

key publish command 4-21

clearing statistics 4-16

configuring server 4-13

server connection timeout 4-15

server encryption key 4-15

server IP address 4-14

viewing statistics 4-16

tacacs-server commands

clear statistics 4-16

first-hit 4-13

host 4-13, 4-14

key 4-13, 4-15

show statistics 4-16

timeout 4-13, 4-16

TCP

detected anomalies 11-2, 11-5

no proxy policy templates 7-4

policy templates 7-3

templates

LINK 8-4

viewing policies 5-5

zone 5-2

thresh-mult 7-16

threshold

command 7-14

configuring IP threshold 7-17

configuring list 7-17

configuring specific IP 7-17

marking as tuned 5-8, 8-10

multiplying before accepting 7-15

selection 8-12

setting as fixed 7-15

tuning 1-4, 8-2

worm 7-20

threshold-list command 7-17

threshold selection 8-6

threshold tuning

save results periodically 8-8

timeout command 7-18

timeout session, configuring 4-33

timeout session, disabling 4-33

timesaver, symbol overview 1-xvii

tip, symbol overview 1-xvii

traceroute command 12-29

traffic, monitoring 12-15

traffic sources

capturing 2-3

configuring 2-3

SPAN 2-3

VACL 2-3

trap 12-8

trap-dest 4-26

tuning policy thresholds 8-6

U

UDP

detected anomalies 11-3

policy templates 7-3

unauth_pkts packet type 7-11

unauthenticated TCP detected anomalies 11-3

upgrade command 13-19

upgrade license 13-17

upgrading

AP 13-10

inline 13-13

MP 13-12

user-detected anomalies 11-3

user filter

command 6-3

username

encrypted password 4-6

username command 4-6

users

adding 4-6

adding new 4-6

assigning privilege levels 4-6

deleting 4-8

privilege levels 3-2, 4-9

system users

admin 2-9

riverhead 2-9

username command 4-6

V

VACL, configuring 2-4

version, upgrading 13-19

W

WBM

activating 3-11

WBM logo

adding 4-32

deleting 4-33

worm

dynamic filter 7-22

identifying attack 7-22

overview 7-20

policy 7-11, 7-12

policy templates 7-3, 7-21

thresholds 7-20, 7-21

worm_tcp policy template 7-4

X

XG software image

license key 13-17

obtaining software image 13-17

XG software version, 2-Gbps operation 13-16

XML schema 11-6 to 11-8, 12-15, 13-7

Z

zombies 1-3

zone

anomaly detection 9-1

clearing counters 12-6

command 5-4, 5-5, 10-3

command completion 4-12, 5-6

comparing 8-14

configuration mode 3-3, 5-6

copying 5-5

creating 5-4

defining IP address 5-7

deleting 5-5

deleting IP address 5-8

duplicating 5-5

excluding IP address 5-7

exporting configuration 5-16

IP address 5-7

learning 8-1

LINK templates 8-4

modifying IP address 5-8

operation mode 5-5

reconfiguring 5-6

synchronize configuration 5-8

synchronizing automatically 5-11

synchronizing offline 5-14

templates 5-2

viewing configuration 5-7

viewing policies 7-23

viewing status 12-4

zone policy

marking as tuned 5-8, 8-10

zone synchronization 8-3